This paper was presented by Himanshu Anand and Chastine Menrige (Symantec) at VB2016 in Denver, CO, USA.
In the last year, there has been growing interest in a technique known as fileless infection, in which malware authors compromise computers without writing any malicious files to disk. The technique lets the threat evade detection by file-scanning software while still remaining persistent on the compromised machine.
This paper will explain the different fileless infection methods, as well as a new tactic which can allow attackers to perform fileless infection using a classic one-click fraud attack and non-PE files.
The first widespread threat we saw using the fileless infection technique was Trojan.Poweliks in 2014. Other trojans followed suit as they evolved, notably Trojan.Bedep and Trojan.Kovter, which adopted the same technique after Poweliks.
Based on our research, the most common infection vectors for this technique include the following:
Drive-by downloads / Exploit kits: In August 2014, the Angler EK became the first kit to infect a computer without writing the malware to disk. Instead, the malware was injected directly into the process running the exploited plug-in. Over time, we have seen more instances of fileless infections using this infection vector.
Downloaders: In this approach, the downloader itself is written to disk. Once executed, it retrieves the final payload and may then delete itself. The final payload runs only in memory, so the lasting infection is fileless.
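One trace the downloader vector leaves behind is a running process whose image file no longer exists on disk. The following is an added hunting check, not code from the paper or from Symantec: it enumerates processes through the Win32_Process CIM class and reports those whose ExecutablePath points at a file that is now missing. The function name Get-OrphanedProcess is an assumption of this example.

```powershell
# Added example (not from the paper): list processes whose on-disk image has been
# deleted, the footprint left by a downloader that removes itself after staging its
# payload in memory. Run in an elevated PowerShell session on the host under review.

function Get-OrphanedProcess {
    # Win32_Process exposes ExecutablePath without opening a handle to each process.
    # It is $null for kernel and protected processes, which we skip rather than
    # mis-report; CreationDate is already a DateTime when read via Get-CimInstance.
    Get-CimInstance -ClassName Win32_Process |
        Where-Object {
            $_.ExecutablePath -and -not (Test-Path -LiteralPath $_.ExecutablePath)
        } |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate
}

# Usage: print the candidates for triage.
Get-OrphanedProcess | Format-Table -AutoSize
```

Treat a hit as a lead, not a verdict: a legitimate updater that replaces its own binary while the old instance is still running produces the same orphaned path. Note also what this check cannot see: a downloader that injects its payload into another process and exits, as in the exploit-kit vector above, leaves no orphaned process at all, so memory inspection of the target process is still required for that case.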
One-click fraud: One-click fraud, which mostly targets Japanese and Chinese users, lures the user into clicking a tempting offer. If the lure works, a malicious file is downloaded onto the computer without the user's knowledge. The threat then displays annoying or obscene pop-ups and demands payment to remove them, much like ransomware. A variant of Kovter, a threat best known for click fraud, included fileless infection capabilities. While we have not yet seen many threats conducting one-click fraud in a fileless manner, attackers may well turn to this method sooner or later, since it requires neither a PE file nor an exploit and is harder to detect. This is something our paper will explore.
Our paper will explain and compare the most common ways in which malware authors use fileless infections today. We will discuss areas where we expect these methods to be used soon.